feat: add sub module to create alb for atlantis

infraspecdev · Jul 13, 2024 · 2f9b6cf · 2f9b6cf
1 parent a2dd076
commit 2f9b6cf
Show file tree

Hide file tree

Showing 6 changed files with 183 additions and 0 deletions.
diff --git a/modules/alb/.header.md b/modules/alb/.header.md
diff --git a/modules/alb/README.md b/modules/alb/README.md
@@ -0,0 +1,44 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_lb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
+| [aws_lb_listener.http_listner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_listener.https_listener](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_route53_record.record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_acm_certificate.base_domain_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source |
+| [aws_route53_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_base_domain"></a> [base\_domain](#input\_base\_domain) | Base domain | `string` | n/a | yes |
+| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | List of endpoints that will expose the load balancer | `list(any)` | n/a | yes |
+| <a name="input_load_balancer_internal"></a> [load\_balancer\_internal](#input\_load\_balancer\_internal) | (Optional) If true, the LB will be internal. | `bool` | `false` | no |
+| <a name="input_load_balancer_type"></a> [load\_balancer\_type](#input\_load\_balancer\_type) | (Optional) Type of load balancer to create. | `string` | `"application"` | no |
+| <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnets for ALB | `list(string)` | n/a | yes |
+| <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | (Optional) Name of the SSL Policy for the listener. | `string` | `"ELBSecurityPolicy-2016-08"` | no |
+| <a name="input_system_name"></a> [system\_name](#input\_system\_name) | System name | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID for creating the security group | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_alb_listener_arn"></a> [alb\_listener\_arn](#output\_alb\_listener\_arn) | ARN of the Application load balancer |
diff --git a/modules/alb/data.tf b/modules/alb/data.tf
@@ -0,0 +1,9 @@
+data "aws_acm_certificate" "base_domain_certificate" {
+  domain      = var.base_domain
+  statuses    = ["ISSUED"]
+  most_recent = false
+}
+
+data "aws_route53_zone" "zone" {
+  name = var.base_domain
+}
diff --git a/modules/alb/main.tf b/modules/alb/main.tf
@@ -0,0 +1,84 @@
+resource "aws_lb" "this" {
+  name               = "${var.system_name}-lb-${terraform.workspace}"
+  internal           = var.load_balancer_internal
+  load_balancer_type = var.load_balancer_type
+  security_groups    = [aws_security_group.this.id]
+  # subnet-1 , subnet-2
+  subnets = var.public_subnet_ids
+}
+
+resource "aws_security_group" "this" {
+  vpc_id      = var.vpc_id
+  name        = "${var.system_name}--${terraform.workspace}"
+  description = "Load balancer security firewall"
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.system_name}-${terraform.workspace}"
+  }
+}
+
+resource "aws_lb_listener" "https_listener" {
+  default_action {
+    type = "fixed-response"
+    fixed_response {
+      content_type = "application/json"
+      message_body = "Unauthorised"
+      status_code  = 401
+    }
+  }
+
+  protocol          = "HTTPS"
+  load_balancer_arn = aws_lb.this.arn
+  port              = 443
+  ssl_policy        = var.ssl_policy
+  certificate_arn   = data.aws_acm_certificate.base_domain_certificate.arn
+}
+
+resource "aws_route53_record" "record" {
+  for_each = toset(var.endpoints)
+  zone_id  = data.aws_route53_zone.zone.zone_id
+  name     = each.key
+  type     = "A"
+
+  alias {
+    name                   = aws_lb.this.dns_name
+    zone_id                = aws_lb.this.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_lb_listener" "http_listner" {
+  load_balancer_arn = aws_lb.this.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
diff --git a/modules/alb/outputs.tf b/modules/alb/outputs.tf
@@ -0,0 +1,4 @@
+output "alb_listener_arn" {
+  description = "ARN of the Application load balancer"
+  value       = aws_lb_listener.https_listener.arn
+}
diff --git a/modules/alb/variables.tf b/modules/alb/variables.tf
@@ -0,0 +1,42 @@
+variable "system_name" {
+  type        = string
+  description = "System name"
+}
+
+variable "load_balancer_internal" {
+  type        = bool
+  description = "(Optional) If true, the LB will be internal."
+  default     = false
+}
+
+variable "base_domain" {
+  type        = string
+  description = "Base domain"
+}
+
+variable "load_balancer_type" {
+  description = "(Optional) Type of load balancer to create."
+  type        = string
+  default     = "application"
+}
+
+variable "ssl_policy" {
+  type        = string
+  description = "(Optional) Name of the SSL Policy for the listener."
+  default     = "ELBSecurityPolicy-2016-08"
+}
+
+variable "endpoints" {
+  description = "List of endpoints that will expose the load balancer"
+  type        = list(any)
+}
+
+variable "public_subnet_ids" {
+  description = "List of public subnets for ALB"
+  type        = list(string)
+}
+
+variable "vpc_id" {
+  description = "VPC ID for creating the security group"
+  type        = string
+}